U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Information Technology Laboratory

National Vulnerability Database

NIST maintains the National Vulnerability Database (NVD), a repository of information on software and hardware flaws that can compromise computer security. This is a key piece of the nation’s cybersecurity infrastructure.

Status Updates

Latest status update:

May 29, 2024: NIST has awarded a contract for additional processing support for incoming Common Vulnerabilities and Exposures (CVEs) for inclusion in the National Vulnerability Database. We are confident that this additional support will allow us to return to the processing rates we maintained prior to February 2024 within the next few months.

In addition, a backlog of unprocessed CVEs has developed since February. NIST is working with the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) to facilitate the addition of these unprocessed CVEs to the NVD. We anticipate that that this backlog will be cleared by the end of the fiscal year. 

As we shared earlier, NIST is also working on ways to address the increasing volume of vulnerabilities through technology and process updates. Our goal is to build a program that is sustainable for the long term and to support the automation of vulnerability management, security measurement and compliance.

With a 25-year history of providing this database of vulnerabilities to users around the world and given that we do not play an enforcement or oversight role, NIST is uniquely suited to manage the NVD. NIST is fully committed to maintaining and modernizing this important national resource that is vital to building and maintaining trust in information technology and fostering innovation. 

Moving forward, we will keep the community informed of our progress toward normal operational levels and our future modernization plans.

Past status updates:

  • May 20, 2024: On May 8, 2024, the Common Vulnerabilities and Exposures (CVE) program deployed support for the CVE 5.1 record format. Once the deployment started, NIST was not able to process records with the new format until we released a subsequent deployment for NVD-related systems on May 14, 2024. We are now ingesting both CVE 5.0 and CVE 5.1 records into the NVD dataset on an hourly basis and we’re working as fast as we can to return to normal processing. 

  • April 25, 2024: NIST maintains the National Vulnerability Database (NVD), a repository of information on software and hardware flaws that can compromise computer security. This is a key piece of the nation’s cybersecurity infrastructure.

    There is a growing backlog of vulnerabilities submitted to the NVD and requiring analysis. This is based on a variety of factors, including an increase in software and, therefore, vulnerabilities, as well as a change in interagency support. Currently, we are prioritizing analysis of the most significant vulnerabilities. In addition, we are working with our agency partners to bring on more support for analyzing vulnerabilities and have reassigned additional NIST staff to this task as well.

    We are also looking into longer-term solutions to this challenge, including the establishment of a consortium of industry, government, and other stakeholder organizations that can collaborate on research to improve the NVD.

    NIST is committed to its continued support and management of the NVD. Currently, we are focused on our immediate plans to address the CVE backlog, but plan to keep the community posted on potential plans for the consortium as they develop. For questions and concerns, you can contact nvd [at] nist.gov (nvd[at]nist[dot]gov).

  • April 9, 2024: To enable more flexibility within our API output we need to remove certain restrictions from the existing 2.0 API schemas. All existing API users will need to download the latest schema files to avoid validation issues later this year. See /cves/ schema restriction update.

  • March 5, 2024: As part of ongoing efforts to increase the reliability and general responsiveness of the 2.0 APIs, the NVD will be making a change to the Match Criteria API. See /cpematch/ resultsPerPage update.

  • February 13, 2024: NIST is working to establish a consortium to improve the NVD program, and there will be some temporary delays in analysis efforts. For more information please review the NVD program transition announcement page.

  • November 6, 2023: The NVD has transitioned from processing the CVE List 4.0 JSON to the CVE List 5.0 JSON. There are quite a few changes to the NVD dataset as a result of this transition. Please make sure to read the details of these changes at the NVD CVE 4.0 to CVE 5.0 transition page.

More historical updates

Stay Connected

Get Our Email Updates 

NVD General Updates list:  Subscribe here

NVD Technical Updates  list:  Subscribe here

Social + Email Us

Check our X feeds: @NISTcyber & @NIST

Email us: nvd [at] NIST.gov (nvd[at]NIST[dot]gov)